A Tokenless SPA: Secure Authentication with the BFF Pattern
Single-page applications often implement OAuth/OIDC directly in the browser. This can work, but it also increases the attack surface and adds complexity that is easy to get wrong.
This talk presents a modern alternative: the Backend-for-Frontend (BFF) pattern. Instead of treating the SPA as the OAuth client, the BFF becomes the client and the browser receives only a secure, HttpOnly session cookie. We will walk through the architecture, the request flows (login, API calls, logout), and practical defenses such as SameSite cookies, cookie prefixing, CORS lockdown, and CSRF protections designed for same-origin SPAs.
Attendees will leave with a clear migration path from “tokens in the browser” to a session-based BFF model, including live ASP.NET Core code and implementation guidance for real-world deployments.
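To make the architecture concrete, here is an added ASP.NET Core example of the BFF shape the abstract describes; it is illustrative code written for this page, not the speaker's demo. The IdP authority, client id, upstream API URL, the `/bff/*` route names and the `X-CSRF: 1` header convention are all assumptions; the cookie flags and the choice to keep tokens only in the server-side authentication ticket are the point.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using System.Net.Http.Headers;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpClient();
builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(options =>
    {
        // The browser is identified by the session cookie; the BFF is the OIDC client.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        // __Host- prefix: the browser refuses the cookie unless it is Secure,
        // has no Domain attribute and has Path=/ (cookie-prefix defense).
        options.Cookie.Name = "__Host-bff";
        options.Cookie.HttpOnly = true;                       // not readable from script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;           // Strict is tighter but drops inbound links
        options.Cookie.Path = "/";
        // XHR/fetch callers should see 401/403, not an HTML redirect to the IdP.
        options.Events.OnRedirectToLogin = ctx =>
        { ctx.Response.StatusCode = StatusCodes.Status401Unauthorized; return Task.CompletedTask; };
        options.Events.OnRedirectToAccessDenied = ctx =>
        { ctx.Response.StatusCode = StatusCodes.Status403Forbidden; return Task.CompletedTask; };
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://idp.example.test";       // placeholder IdP
        options.ClientId = "bff-client";                      // placeholder client id
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = "code";
        options.UsePkce = true;
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("api");                             // placeholder API scope
        options.SaveTokens = true;   // tokens are stored in the server-side auth ticket, never sent to the SPA
        options.GetClaimsFromUserInfoEndpoint = true;
    });

var app = builder.Build();
app.UseHttpsRedirection();

// CSRF defense for a same-origin SPA: every state-changing call to /bff or /api must
// carry a custom header. A cross-site form post cannot add one, and a cross-origin
// fetch would need a CORS preflight that this BFF never grants (no UseCors at all).
// The OIDC callback (/signin-oidc, a form_post from the IdP) is outside these paths.
app.UseWhen(
    ctx => ctx.Request.Path.StartsWithSegments("/bff") || ctx.Request.Path.StartsWithSegments("/api"),
    branch => branch.Use(async (ctx, next) =>
    {
        var method = ctx.Request.Method;
        var stateChanging = !HttpMethods.IsGet(method) && !HttpMethods.IsHead(method) && !HttpMethods.IsOptions(method);
        if (stateChanging && ctx.Request.Headers["X-CSRF"] != "1")
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
        await next();
    }));

app.UseAuthentication();
app.UseAuthorization();

// Login: challenge the OIDC scheme; the handler runs the code flow and finishes by issuing the cookie.
app.MapGet("/bff/login", (HttpContext ctx, string? returnUrl) =>
    ctx.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = LocalOnly(returnUrl) }));

// The SPA asks the BFF who the user is instead of decoding an id_token itself.
app.MapGet("/bff/user", (HttpContext ctx) =>
        Results.Json(ctx.User.Claims.Select(c => new { c.Type, c.Value })))
   .RequireAuthorization();

// Logout is a POST so the CSRF header check applies. This ends the local session;
// ending the IdP session is a separate top-level navigation to its end-session endpoint (not shown).
app.MapPost("/bff/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.NoContent();
});

// API proxy: the BFF attaches the server-held access token on the way out.
app.MapGet("/api/orders", async (HttpContext ctx, IHttpClientFactory factory) =>
{
    var accessToken = await ctx.GetTokenAsync("access_token");
    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    var upstream = await client.GetAsync("https://api.example.test/orders");   // placeholder upstream API
    var body = await upstream.Content.ReadAsStringAsync();
    return Results.Content(body, upstream.Content.Headers.ContentType?.ToString() ?? "application/json",
                           statusCode: (int)upstream.StatusCode);
}).RequireAuthorization();

app.Run();

// Open-redirect guard for returnUrl: only local, single-slash paths are honoured.
static string LocalOnly(string? url) =>
    !string.IsNullOrEmpty(url) && url.StartsWith('/') && !url.StartsWith("//") ? url : "/";
```

With this layout the SPA never sees an access token or id_token: it calls `/bff/user` to learn who is signed in, calls `/api/*` with `credentials: "same-origin"` plus the `X-CSRF` header, and the BFF does the bearer handling. Because the SPA and the BFF share an origin, no CORS policy is registered at all, which is the "CORS lockdown" in its simplest form.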
You will learn:
* The real risks of browser-based token handling
* How the BFF pattern works and why it is safer
* How to build SPAs that stay secure without storing tokens in the browser
* Practical implementation guidance and common pitfalls
This talk is for developers working with OpenID Connect and OAuth who want a modern and secure approach to SPA authentication. Live code examples will be shown using ASP.NET Core.
Done once in user groups in the past. It is for ASP.NET Core, but most of it is generic and applicable to developers on all platforms. It consists mostly of presentation and some live demonstrations at the end.
Tore Nestenius
Microsoft .NET MVP | Training, Security, Architecture instructor
Helsingborg, Sweden